Organizations or companies typically use a private communication network or intranet. A plurality of services or applications are then provided within the private network to client computing devices that are also connected to the private network. A connection to the private network may be direct by physically connecting the client to the private network or indirect by establishing a networking tunnel with the private network from outside the private network. Services or applications may for example be mail servers, file servers, Customer Relationship Management or CRM services, Enterprise Resource Planning or ERP services, document management services, etc.
Several solutions exist to prevent unauthorized access to such networking devices or applications. For example, firewalls and proxies can regulate and monitor what kind of traffic and how the traffic can traverse the network boundaries of the private network, thereby separating a public network such as a Wide Area Network from the private network. Network traffic managers such as for example firewalls or proxies may also be implemented within the private network to manage network traffic within the private network itself.
Published application no. U.S. 2012/0180120 discloses a method and a system for restricting access to a private network that allows for a context-based access of network resources by network users. The network resource may be an application, website, program, communication means, etc., available by accessing the private network. A request is sent to a network firewall to access a web application, where the web application is identified. A context template is created for the web application, and compared with the request to create a request context map. The request context map is compared to a request context rule on the network firewall. Access is provided to the web application when the request context map matches the request context rule.
Published application no. U.S. 2012/0180120 thus discloses to retrieve the context of the user or client computing device from the incoming packets themselves and then decides whether to block the incoming packet or not based on this context. A problem with this is that the firewall rules are dynamically generated based on the content of the packet, i.e., by deep packet inspection. Because of this, a lot of processing power is needed per handled packet. This may be particularly problematic when a large number of incoming packets must be handled. Furthermore, a large delay exists between the capture of the incoming packet and the moment that the decision for allowing or blocking it is taken.